BackdoorDiplomacy: A Detailed Analysis of a Chinese APT Group

Introduction

BackdoorDiplomacy is a well-known Advanced Persistent Threat (APT) group that has been active since at least 2010. The group is believed to be based in China and has been linked to a number of cyber espionage campaigns targeting government and diplomatic entities across North America, South America, Africa, and the Middle East. The group is also known by several other names such as APT15, KeChang, NICKEL, and Vixen Panda.

BackdoorDiplomacy is known for its use of sophisticated tactics and techniques to infiltrate targeted networks and evade detection. The group has been found to use a combination of both open-source and custom-built tools to conduct its operations. The group has been observed using various types of malware, including backdoors, implants, and trojans, to gain a foothold in targeted networks.

One of the key characteristics of BackdoorDiplomacy is its focus on remaining undetected for extended periods. The group has been known to use a range of techniques to evade detection, including the use of living-off-the-land tactics, which involve using existing binaries, scripts, or libraries that are already present on a target system. This approach enables the group to avoid detection by modern prevention security controls and allows it to remain active within a targeted network for an extended period.

BackdoorDiplomacy has been linked to a number of high-profile attacks in recent years. In June 2021, Slovak cybersecurity firm ESET reported on intrusions mounted by the group against diplomatic entities and telecommunications companies in Africa and the Middle East using a custom implant known as Turian. In December 2021, Microsoft announced that it had seized 42 domains operated by the group in its attacks targeting 29 countries. The group has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.

Overall, BackdoorDiplomacy is a highly sophisticated and well-funded APT group that poses a significant threat to government and diplomatic entities across the globe. The group's focus on remaining undetected for extended periods and its use of sophisticated tactics and techniques make it a formidable adversary, and defending against it requires advanced detection and response capabilities.

Tactics, Techniques, and Procedures (TTPs)

BackdoorDiplomacy has been known to use a variety of different TTPs in its cyber espionage campaigns. Some of the most commonly used TTPs associated with the group include:

  • Supply chain attacks: The group has been known to target smaller companies that are part of the supply chain of its intended target in order to gain access to sensitive information.
  • Living-off-the-land: The group has been known to use binaries, scripts, or libraries that are already on the target system (or can be downloaded without raising suspicion) in order to avoid detection.
  • Custom malware: The group has been known to use custom malware in its attacks, which is designed to avoid detection by modern security controls.
  • Advanced reconnaissance: The group has been known to use advanced reconnaissance techniques in order to collect information about the target network and identify potential vulnerabilities.

Indicators of Compromise (IOCs)

BackdoorDiplomacy has been known to use a variety of different tools and techniques to compromise its targets. Some of the known IOCs associated with the group include:

  • Command and control (C2) domains and IP addresses: The group has been known to use a variety of different C2 domains and IP addresses, including those associated with its known aliases (e.g. APT15, KeChang, NICKEL, and Vixen Panda).
  • Malware: The group has been known to use a variety of different malware, including Turian and Quarian backdoors, as well as custom malware.
  • Exploits: The group has been known to use a variety of different exploits, including those targeting unpatched systems to compromise internet-facing web applications such as Microsoft Exchange and SharePoint.

IOCs associated with BackdoorDiplomacy's Turian Backdoor

Turian is a custom implant used by BackdoorDiplomacy in its intrusions against diplomatic entities and telecommunication companies in Africa and the Middle East. The implant allows for remote access into targeted networks and is under active development by the group.


IOCs for NPS Proxy Tool:

The NPS proxy tool is a custom-built tool that is used by BackdoorDiplomacy for reconnaissance and lateral movement. The following are the known IOCs associated with this tool:

  • FileHash-SHA256: 06faa40b967de7168d16fec0519b77c5e319c6dc021578ed1eb8b337879018fe
  • FileHash-SHA256: eff22d43a0e66e4df60ab9355fa41b73481faea4b3aa6905eac3888bc1a62ffa
  • FileHash-SHA256: bbcd7dc60406a9fa439d183a10ad253426bae59424a0a1b91051d83d26bb0964

Command line arguments: "nps.exe -r host -t Port -u User -p Pass"

IOCs for IRAFAU Backdoor:

The IRAFAU backdoor is a custom-built tool used by BackdoorDiplomacy for remote access to and control of compromised systems. The following are the known IOCs associated with this tool:


IOCs for Quarian Backdoor:

Quarian is a custom-made remote access trojan (RAT) used by BackdoorDiplomacy in attacks targeting the Middle East. It is a predecessor of Turian and provides a point of remote access into targeted networks.


IOCs for Other Tools:

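As an added example (my code, not the article's), the following Python turns an IOC list written in this article's "Type: value" bullet style, together with the NPS command line quoted above, into a simple scanner over constructed DNS, EDR and process-creation log lines. The feed values and log lines are placeholders I constructed, not the article's real indicators.

```python
import re

# Constructed IOC feed in the two "Type: value" list styles this article uses.
# Every value below is a placeholder, not one of the article's real indicators.
IOC_FEED = """
  • File Hash (SHA-256): 0000000000000000000000000000000000000000000000000000000000000001
  • Hostname: cloud.example-c2.test
  • Domain: example-c2.test
  • IPv4: 192.0.2.10
  • URL: https://mail.example-c2.test:443
"""
# Process command line quoted in the article: nps.exe -r host -t Port -u User -p Pass
NPS_CMDLINE = re.compile(r"\bnps(?:\.exe)?\b.*\s-r\s+\S+.*\s-t\s+\S+")

def parse_iocs(feed):
    """Bucket indicator lines by type; the type label is normalised to letters and digits."""
    iocs = {"filehashsha256": set(), "hostname": set(), "domain": set(), "ipv4": set()}
    for line in feed.splitlines():
        m = re.match(r"\s*[•*-]?\s*([^:]+):\s*(\S+)", line)
        if not m:
            continue
        kind = re.sub(r"[^a-z0-9]", "", m.group(1).lower())
        value = m.group(2).lower()
        if kind == "url":  # keep only the host part of a URL indicator
            kind, value = "hostname", re.sub(r"^\w+://", "", value).split("/")[0].split(":")[0]
        if kind in iocs:
            iocs[kind].add(value)
    return iocs

def host_matches(host, iocs):
    """Exact hostname hit, or any subdomain of a listed domain."""
    host = host.rstrip(".")
    return host in iocs["hostname"] or any(host == d or host.endswith("." + d) for d in iocs["domain"])

def scan_log(lines, iocs):
    """Return (line_no, reasons) for each log line that hits an IOC or the NPS pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        low, reasons = line.lower(), set()
        if any(h in low for h in iocs["filehashsha256"]):
            reasons.add("sha256")
        if any(m.group() in iocs["ipv4"] for m in re.finditer(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", low)):
            reasons.add("ipv4")
        if any(host_matches(m.group(), iocs) for m in re.finditer(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", low)):
            reasons.add("hostname")
        if NPS_CMDLINE.search(low):
            reasons.add("nps-cmdline")
        if reasons:
            hits.append((n, ",".join(sorted(reasons))))
    return hits
```

Suffix matching on the Domain entries is what catches the many per-victim hostnames the article lists under a single registered domain, which exact-string matching would miss.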

Conclusion

BackdoorDiplomacy is a Chinese APT group that has been active since at least 2010. The group is known for its cyber espionage campaigns targeting government and diplomatic entities across North America, South America, Africa, and the Middle East. The group is known to use a variety of different tools and techniques to compromise its targets, including supply chain attacks, living-off-the-land, custom malware, and advanced reconnaissance. Businesses and organizations should be aware of the group's TTPs and implement security controls to detect and defend against BackdoorDiplomacy's attacks.

More articles by Cornelis Jan G.